Commit 3a7e591c authored Feb 10, 2025 by Marco Nelissen Committed by Long Li Feb 10, 2025

iomap: avoid avoid truncating 64-bit offset to 32 bits

mainline inclusion
from mainline-v6.10-rc2
commit c13094b894de289514d84b8db56d1f2931a0bade
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJXF0
CVE: CVE-2025-21667

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c13094b894de289514d84b8db56d1f2931a0bade



--------------------------------

on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a
32-bit position due to folio_next_index() returning an unsigned long.
This could lead to an infinite loop when writing to an xfs filesystem.

Signed-off-by: Marco Nelissen <marco.nelissen@gmail.com>
Link: https://lore.kernel.org/r/20250109041253.2494374-1-marco.nelissen@gmail.com


Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Conflicts:
	fs/iomap/buffered-io.c
[Conflicts due to not merged 492f53758fad ("iomap: pass the iomap to the
punch callback")]
Signed-off-by: Long Li <leo.lilong@huawei.com>

parent eb34e75a

fs/iomap/buffered-io.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1221,7 +1221,7 @@ static int iomap_write_delalloc_scan(struct inode *inode,
		}

		/* move offset to start of next folio in range */
		start_byte = folio_next_index(folio) << PAGE_SHIFT;
		start_byte = folio_pos(folio) + folio_size(folio);
		folio_unlock(folio);
		folio_put(folio);
		}